EL839723704US 



SUN-P6991 



c 



Begin 





r 


Web Browser Accesses Web Site That Uses A 
Cookie 




105 



100 




110 



Browser Generates Cookie With 
Web Server URL And Web 
Server-Provided User Data 




z 



FIG. 1A 



120 




Cookie 



Server ID (URL) 

Data (May Be Authenticated Or Sealed) 
-E.g. Session Number 



FIG. 1B- Prior Art 



EL839723704US 



SUN-P6991 




FIG. 2 -Prior Art 



EL839723704US 



SUN-P6991 



C 



Begin 



) 



1 




Purchaser Writes A Check To Pay For Goods Or , 
Services 




f 


Vendor Requires Credentials That Will Be Appropriate 
For The Method Of User Authentication Needed To 
Accept Payment (e.g. Drivers License, ATM Card) 


1 


i 


Purchaser Provides Required Forms Of User 
Authentication 




f 



300 




305 




310 



315 



Vendor Verifies Authenticity, Truthfulness Of Credentials 





FIG. 3 - Prior Art 



EL839723704US 



SUN-P6991 



400 



Userl 



405 



User 2 



410 



X 



User 3 



415 



User 4 



420 



User 5 



UserX 



~7 



425 



435 




Service 
Provider 1 
Web Server 



440 



Service 
Provider 2 
Web Server 



445 



Service 
Provider 3 
Web Server 



450 



x 



Service 
Provider 4 
Web Server 



455 



X 



Service 
Provider 5 
Web Server 



Service 
Provider N 
Web Server 



460 



465 



Customer 
Jgatabastt - 



470 




Customer 
JJatabase^ 



475 



Customer 
Jjatabase^ 



480 



x 



Customer 
Jjatabasjt, 



490 



x 



Customer 
LPatabase^ 



495 



x 



Customer 
atabase. 



FIG. 4 - Prior Art 



EL839723704US 



SUN- 



Via Embedded URL 
Using A Service 
Provider-Created 
HTML Form 




510 









User Data 
Generator 


► 


User Database 






530 



Global Authenticator 



535 



FIG. 5 - Prior Art 



EL839723704US 



SUN-P6991 



600 



Userl 



605 



User 2 



610 



User 3 



615 



XT 



User 4 



620 



User 5 



625 



UserX 



630 



Global Authenticator 




Service 
Provider 1 
Web Server 



635 

v 



640 



Service 
Provider 2 
Web Server 



V 



Customer 

Data 
Generator 



Global 
Customer 



Global 
Authentication 
— Database * 



645 



Service 
Provider 3 
Web Server 



V 



675 




650 



Service 
Provider 4 
Web Server 



V 



655 



Service 
Provider 
Web Server 



7K 



660 



Service 
Provider N 
Web Server 



v 



FIG. 6 - Prior Art 



EL839723704US 



SUN-P6991 



730 



700 




Dynamic 
Credential Data 
Authentication 

© 

Dynamic 
\ Credential 
With 740 \ N Authentication 

Parameters, ^^-/i) \ Response 
Data And Dyna ^ \ \ 
Supporting credential DatV \ 



745 



Authentication 
Request 



Request For 
Service + 
Credential(s), 
Parameters & Data 



Can Make A More 
Refined [Localized] 
Credential Based 
On A More Generic 
redential 

715 



Note: Any Given EniitTIWay Assume A 
Role As A Customer, Service Provider Or 
Authority, Depending On The 
Circumstances 

Note: Each Step In The The Sequence 
May Be Separated In Time, And May 
Include Varied Computing Environments 



Service 

750 




Assesses 
Credentials 



One Particular Type Of 
Service: Providing A 
Credential 



FIG. 7 



EL839723704US 



SUN-P6991 




FIG. 8 



EL839723704US 



SUN-P6991 




Data 

Authentication 
Mechanism 



Credentiai ID 



Credential 
Cryptogram 



Credential Authority 
Peer Group ID 



Credential 
Parameters 



Credentiai Data 



Sealed (Encrypted) 
Credential Data 



Nested Credentials 



FIG. 9A 




May Be Returned As 
A Representation Of 
Full Credential 



May Be Stored 
Separately 



905 



945 




Data 

Authentication 
Mechanism 

955 

96<r 



Used As: 

-XML Entity 965 
-Serialized Data 
-Fields In HTTP Request Header 970 



Credential 
Cryptogram 



Credential Authority 
Peer Group ID 



Credentiai 
Parameters 



Credential Data 



Sealed (Encrypted) 
Credential Data 



Nested Credentials 



FIG. 9B 



Used As An ID, Computed 
f As Authenticator 

Entity That Signed The 
/Credential 



User Authentication Options 

Data Authentication Options 

Data Formats 

Sealing Options 

QOS ID - Maintained By 

Credential Authority 

Unsealed Data Is Used In 
Data Authentication, Or is 
Authenticated Separately 

Only Cryptograms Need To 
Be Authenticated To 
Perform Secure Nesting 



EL839723704US 



SUN-P6991 



C 



Generate Credential 
(Enrollment Process) 



1000 



2> 



Receive Request Including One Or More 
Credentials 



1005 



Process Credentials 



1010 



1015 




Fail? 



Yes 



Register Failure 



1025 



No 



Create New Credential As Requested 



1030 



Apply Failure Policy 



Return New Credential To User 



1020 



c 



End 



FIG. 10 



EL839723704US 



SUN-P6991 



C 



Process Credentials 



1100 



Perform Cryptographic Data Authentication Of 
Credential 




FIG. 11 



EL839723704US 



SUN-P6991 




FIG. 12 



EL839723704US 



1300 



1305 



c 



Assess Credential Data 




) 






r 


Determine Whether The Type Of Credential Data 
Presented Is Sufficient For The Request Made 


i 





Determine Whether The Credential Data 
Presented Matches The Request 




1325 



FIG. 13 



EL839723704US 



SUN-P6991 




FIG. 14 



EL839723704US 



SUN-P6991 



User 



Server 



C 



Use Credential To Obtain 
Services 



in ^ 



1500 



c 



Use Credential To Obtain 
Services 



Visit W 


eb Site 


i 


f 



y 



1505 



1545 



Present Credential(s) 




1540 



Service Request 
+ Credential(s) 



Receive Service Request And 
Credential(s) 



1550 



1565 



1560 



Process Credentials 



1555 



Service 
Denial 



Deny Service 





No r 

— <Success?, 



Yes 



Provide Service 



End 



3 



1535 



1525 



1575 



FIG. 15 



EL839723704US 



SUN-P6991 



Payment 
Authority 1 




Multiple IDs Available For User 

For Different Purposes /1602 



1604 1624 



1600 



X 



User 




Golfer 



1606 1626 



Military 



1608 1628 



Medical 
Patient 



1610 1630 



Student 



1612 1632 



investor 



1614 1634 



Employee 



1616 1636 



Alumnus 



1618 1638 



Payment 
Authority 2 



1620 1640 



Automobile 
Driver 



ID1 + 

Datal 



1622 



ID2 + 
Data2 



ID3 + 
Data3 



ID4 + 
Data4 



ID5 + 
DataS 



ID6 + 
Data6 



iD7 + 
Data7 



ID8 + 
Data8 



ID9 + 
Data9 



1D10 + 
Datal 0 



FIG. 



16 



EL839723704US 



SUN-P6991 



Authority 



1700 



User 



1702 



1704 
1706 
1708 
1710 
1712 

1714 



1716 



1718 



1720 



1720 



Secure User Data Storage 



User Data 1 



User Data 2 



User Data 3 



User Data 4 



User Data 5 



User Data 6 



User Data 7 



User Data 8 



User Data 9 



User Data 10 




Payment 1 



Golfers 
Assn. 



Military 



Medical 
Plan 



University 



Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



1722 



1724 



1726 



1728 



1730 




1732 



1734 



1736 



1738 



1740 



FIG. 17 



EL839723704US 



SUN-P6991 



Generate 
Profile 



Web Site 
Service 



Smart 
Services 

Visits 

1844 



Generate 
User Data 



K 

1822 



1800 
1846 \ 



A 

1824 



1868 



Web Site 
Service 




Generate 
Profile 



Smart 
Services 

Visits 

1866 



Generate 
User Data 



f 



1838 



-» x, 1834 
Checks 

Credit Enrolls 



Authorizes 



Payment 
Agent 1 



7 

X 1810 
1836 



1826 



1840 

\ 

Ships 



Fulfillment 
Co. 



1814 



1828 



— (D 



Shipping 
Agent 



Delivers 



Delivers 



1854 Services 

Checks 
Enrolls Credit 



1856 



Payment 
Agent 2 



\ Au W zes 

1848 1812 M 
1858 



1816 



„ 1850 



K 

1808 



1860 



Fulfillment 
Co. 



1818 



1842 



1864 1820 



1862 
Ships 



Shipping 
Agent 



FIG. 18 



EL839723704US 



SUN-P6991 



C 



Begin 



1900 



1 


r 


User Receives User-Controlled Secure Storage 
Device 



v 




Storage Device 





Discard User Data 



V 



( End ) 



FIG. 19 



EL839723704US 



SUN-P6991 



User 

Use User Data To Obtain 
Services 



3 



C 



Server 

Use User Data To Obtain 
Services 



2000 



Visit Web Site 




r 



2005 



2035 



Present User Data 



Service Request + 
User Data 



) 



2030 



2055 



2050 



2040 





i 


Receive Service Request And 
User Data 




f 


Process User Data 




f 2045 



Service 
.Denial 



Deny Service 



No X >v 
— <Success?> 




2025 



2075 



2070 



FIG. 20 



EL839723704US 



SUN-P6991 



2100 



2105 



C 



Provide Service In Accordance 
With User Data 



1 




Receive User Data 




r 


Customize Web Site Based On User Data 







c 



End 



) 



FIG. 21 



EL839723704US 



SUN-P6991 



2200 



2205 



2210 



2215 



2220 



2225 



C 



Provide Service In Accordance 
With User Data 



Vendor Performs Payment Authorization Using Payment 
Data From User-Controlled Secure User Data Storage 



Vendor Creates A Fulfillment Record That Includes Order 
Information And The Shipping Information From The User- 
Controlled Secure User Data Storage 



Vendor Sends Fulfillment Record To Fulfillment Company 



Fulfillment Company Fulfills Order Using Shipping 
Information From Fulfillment Record 



Fulfillment Company Transfers Package To Shipping Agent 



Shipping Agent Delivers Package To Address In Shipping 

Information From User-Controlled Secure User Data 
Storage 



C 



End 



FIG. 22 



EL839723704US 



SUN-P6991 



(: 



Vendor Performs Payment Authorization Using Payment 
Data From Secure User Data Storage 



y 


f 


Vendor Sends Payment Request To Payment Clearing 
Agent Using The Payment Data From The Secure User 
Data Storage, Including The Amount To Be Charged In 
The Request 


} 


f 


Payment Clearing Agent Receives Payment Request And 
Amount To Be Charged 


} 


f 


Payment Clearing Agent Sends Response (e.g. 
Transaction ID And Amount Charged) 




* 



2300 




2305 




2310 




c 



End 



) 



FIG. 23 



EL839723704US 



SUN-P6991 



Authority 



2400 



X 



User 



2404 
2406 
2408 
2410 
2412 

2414 



2416 



2418 



2420 



2420 



2402 



Secure User Data Storage 



Service Credential 1 



Service Credential 2 



Service Credential 3 



Service Credential 4 



Service Credential 5 



Service Credential 6 



Service Credential 7 



Service Credential 8 



Service Credential 9 



Service Credential 
10 




Payment 1 



Golfers 
Assn. 



Military 



Medical 
Plan 



University 



Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



2422 



2424 



2426 



2428 



2430 




2432 



2434 



2436 



2438 



2440 



FIG. 24 



EL839723704US 



SUN-P6991 



Generate 
Profile 



Web Site 
Service 



Smart 
Services 



Visits 

2544 



2530 

Generate 
Service 
Credential Shops 



A 

2506 

f 

2538 



Vendor 



2522 



2500 

_ 2546 \ 



User 



/I 

2524 



2568 



Web Site 
Service 



Secure Service 
Credential 
Storage 1 



Smart 
Services 2 532 

IT) 



Checks 
Credit 



2534 
Enrolls 



Authorizes 



Payment 
Agent 1 



T 

X 2510 
2536 



2526 



2540 

\ 

Ships 



Fulfillment 
Co. 



2514 



2528 ^ 

<2) 



Shipping 
Agent 



Generate 
Profile 



Smart 
Services 

Visits 

2566 



2552 

Generate 
Service 
Shops Credential 



K 

2502 



2508 




Delivers 



Delivers 



\ AUt ^ iZ6S 
2548 2512 /V 
2558 



2516 



^ 2550 



2560 



Fulfillment 
Co. 



2518 



2562 

4 

Ships 



Shipping 
Agent 



2542 



2564 



2520 



FIG. 25 



EL839723704US 



SUN-P6991 




FIG. 26 



EL839723704US 



SUN-P6991 



2702 



2704 



2706 
2708 

X 

2710 ' 
2712 
2714 1 



Logon 
Credential 



Credential Cryptogram 1 



Credential Authority Peer 
Group ID 



credential parameters = 
Type= Logon, Profile; 
QoS=username,password, 
frpfrv«0HAM-?00? 



Credential Data = Customer 
Profile [bit-Map] 



Sealed Credential Data = Null 



Nested Credentials 




z — Credential Cryptogram 2 



Credential Authority 
Peer Group ID = 
Credit Card 1 



Credential Parameters = 
Type=Payment,Credit 
Card 



Credential 
Data=Purchase Class 
Approved For 



Sealed Credential Data • 
Payment Acct. No., 
Credit Limit 



Nested Credentials = 
Null 



Credential Cryptogram 3 



Credential Authority 
Peer Group ID = 
Shipping Agent 1 



Credential Parameters : 
Type=shipping 



Credential Data = 
Location=xyz,service=ov 
ernight 



Sealed Credential Data = 
Shipping Agent Acct. 
No., Shipping Address 



Nested Credentials = 
Null 



2716 



Payment 
Credential 



2718 

v Shipping Agent 
f Credential 



-J 



FIG. 27 



EL839723704US 



SUN-P6991 



2800 



C 



Begin 



) 





i 


Receive Secure Service Credential Storage 
| Device (e.g. Java Card™ With Applet) 



2810 




Generate Service Credential (Enrollment 
Process) 



Store Service Credential Cryptogram & Credential Authority 

Peer Group ID (in Secure User Data Storage Or Store In 
Locker & Store Key To Locker On Secure User Data Storage) 



s y 



2825 




Use Service Credential To Obtain Services 



2830 



2815 



fs Credentials Yes >< Must \ Yes 

.Still Valid?^- S5 -K C, ;® d « n ,a ' 86 

Jpdatedj 



No 



Discard Service Credential 



c 



End 




Update Service 
Credential 




2840 



FIG. 28A 



EL839723704US 



SUN-P6991 



6 



User 

se Service Credential Stored Cjl 
User-Controlled Secure User 
ata Storage To Obtain Service: 



es/ 







Visit Web Site 




f 


Present Servi 


ce Credential 



ft 



Server 

se Service Credential Stored (ft 
User-Controlled Secure User 
ata Storage To Obtain Service 



Service Request + 
Service Credential 



Receive Service Request And 
Service Credential 



}[ 

Process Service Credential 




FIG. 28B 



EL839723704US 



SUN-P6991 



2900 



2905 



2910 



2915 



2920 



J, J: 



2925 



C 



Provide Service 




Vendor Performs Payment Authorization Using Nested 
Payment Credential Extracted From Service Credential 
Specific To What Is Being Bought 




Vendor Creates A Fulfillment Message That Includes Order 
Information And The Shipping Credential Extracted From 
The Customer Profile Credential 




Vendor Sends Fulfillment Message To Fulfillment Company 




Fulfillment Company Fulfills Order Using Nested Shipping 
Credential Extracted From Fulfillment Message 




Fulfillment Company Transfers Package To Shipping Agent 




Shipping Agent Delivers Package To Address Encrypted In 
Sealed Part Of Credential 



C 



End 



FIG. 29 



EL839723704US 



SUN-P6991 



3000 



3005 



3010 



Vendor Performs Payment Authorization Using Nested 
Payment Credential Extracted From Service Credential 
Specific To What Is Being Bought 




D 





\ 


t 


Vendor Sends Payment Request To Payment Clearing 
Agent Using The Nested Payment Credential From The 
Service Credential, Including The Amount To Be Charged 
In The Request 


y 




Payment Clearing Agent Decrypts Sealed Part Of Nested 
Credential 


} 


* 


Payment Clearing Agent Sends Response (e.g. 
Transaction ID And Amount Charged) 


y 





( 



End 



FIG. 30A 



EL839723704US 



SUN-P6991 



Authority 



User 



3050 



Smart Card 



User Data 1 



User Data 2 



User Data 3 



User Data 4 



User Data 5 



User Data 6 



User Data 7 



User Data 8 



User Data 9 



User Data 10 




Payment 1 



Golfers 
Assn. 



Military 



Medical 
Plan 



University 



Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



FIG. 30B 



EL839723704US 



SUN-P6991 



Generate 
Profile 



Generate 
Profile 




3118 



3142 



3164 3120 



FIG. 31 



EL839723704US 



SUN-P6991 



Converter 



r 



Class 
Files 




3218 



3210 



3220 



Header 



Constant Pool 



X 



Method 



3214 



Storage Medium 



3224 




Export 
Files 




3216 3212 




3217 



Card Reader 



Installation Tool 



Terminal 




32 



3248 



3249 



I/O Port 



Microprocessor 



VM Processor 



ROM 



K 

3242 

3246 



Installation 
Tool 



EEPROM 



RAM -« 



3252 



3254 



Smart Card 



3250 



3222 



3226 



3240 



FIG. 32 



EL839723704US 



SUN-P6991 




FIG. 33A 



EL839723704US 



SUN-P6991 



Authority 



User 



3340 



3342 



3344 



3346 



3348 



3350 



3352 



3354 



3356 



3358 



2402 



Secure User Data Storage 



Service Credential 



Cookie 



Service Credential 



Data Format A 



Text File 



Cookie 



Data Format B 



Text File 



Service Credential 



Service Credential 




Payment 1 



Golfers 
Assn. 



Military 



Medical 
Plan 



University 



Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



FIG. 33B 



EL839723704US 



SUN-P6991 



3400 




Randomized ID 



FIG. 34 



EL839723704US 



SUN-P6991 



E.g. Service Providers, 
Credential Authorities 
Shipping Agent, Payment 
Co., Order Fulfillment Co. 




3505 



Client Host 



3530 3535 

i 



3540 



Card Reader 









Smart 
Card 




i / n 



3550 




FIG. 35 



EL839723704US 



SUN-P6991 



3600 



^1 




3610 



3615 



3620 



3635 





Yes 

r 


Present Randomized Identifier To Service Portal 






Service Portal Sends A User Authentication 
Request To Identity Server Federation That 
Contains The Randomized Identifier 




r 


All Servers In Identity Server Peer Group Search 
For A Match 


3625 , 






Present Matching Entry Or Entries From 
Identity Server Federation To User 
Authentication Server Federation To 
Determine Single Valid User Data Entry 



3630 




Indicate No Match 



C 



End 



D 



FIG. 36 



EL839723704US 



SUN-P6991 



C 



Begin 



3700 



D 



3705 



3710 



ris 
O 



3720 



3730 



3715 

\JJse ID?X 




Yes 



Receive New Randomized ID 



Enroll For A Service 




f 


Receive Randomized ID j 




< 




Store Randomized ID 





Yes 

i 


Use Randomized ID To Obtain Services 


3725 } 


f 



FIG. 37 



EL839723704US 



SUN-P6991 



Internet 



3810 



3820 



Federated 
Identity 
Servers 



Enrollment 




Cell 
Phone 



FIG. 38 



EL839723704US 



SUN-P6991 



Credential Use 
Chain 



c 



Begin 



3910 



83 

u O 

<2 o 

o ® 



User Identity Credential 



3900 



Logon 
Process 



Receive User Data 
And Credentials 



Log-On Credential 



Service 
Request 



3915 



3905 



3925 




Get Fulfillment 


Yes 


Credential 


« < 

Consumption 

Request 






y 


f 


3920 


Consume Fulfillment 
Credential 






E.g. Stored On Hard Disk Or 
Personal Device, E.g. As Cookie. 
Required Parameters: 
User Data Access Credentials For 
Nested User Data Credentials 



Stored As "Session ID Cookie" On Client 
Host 

-Expiration="Some Time Soon" 
-Client Host= M Some IP Address" 

(Client Fixed To Logon Credential) 
(i.e.limited In Time And Place) 



Stored As Server- 
Specific Session ID 
Credential E.g. As 
Cookies On Client Host 
3935 



No 


Rights Key Credential 


> » 


3940 





3939 



3945 




Yes 



3955 



3960 



Store Rights Key 
Credential In Locker 



Locker Access 
Credential 



Store Rights Key 
Credential On Host/ 
Personal Device 



Store Locker Access 
Credential On Host/ 
Personal Device 



FIG. 39 



EL839723704US 



SUN-P6991 



4005 



Authenticate Only Part Of 
The Data 



Address Peer Group 



Credential/ 
Identification 
Server 1 




Income Statement Peer 
Group 



Credential/ 
Identification 
Server 2 



User 
Identification 
^ Data B 



Service 
Provider 




Payment Peer Group 



Credential/ 
Identification 
Server 3 




_4015 

Music Credential Peer 
Group , 



Credential/ 
Identification 
Server 5 



User 
Identification 
Data E 



Personal Credential 
Locker Peer Group 



Credential/ 
Identification 
Server 6 



FIG. 40 



EL839723704US 



SUN-P6991 



'Present Matching Entry Or Entries From 
Identity Server Federation To User 
Authentication Server Federation To 
Determine Single Valid User Data Entry 



4100 



For Each User Authentication Server, Retrieve A 
User Record For The User That Has Been Found 
By The Identification Server 



4105 



Can The 
Required QOS Be^ 
Met By Current User 
Authentication 
Server? 



Nc 



Request One Or More Other Cooperating 
User Authentication Server Perform Rest 
Of User Authentication (Create User 
Authentication Credential) 



} 


Yes 


Engage With The Client To Obtain Required QOS 






Return User Authentication Credential 


i 


r 



4110 



4115 



4120 



c 



End 



) 



FIG. 41 



EL839723704US 



SUN-P6991 



4200 



Resource Server 




4205 




IDs Of Rights Key 
Credentials That Provide 
Access To A Resource On 
' The Server 

-Credential Data Includes 
Cryptographic Keys 



Resource 1 



IDs Of Rights Key 
Credentials 



Resource 2 



IDs Of Rights Key 
Credentials 



Resource 3 



IDs Of Rights Key 
Credentials 



Resource 4 



IDs Of Rights Key 
Credentials 



Refer To Owner Of Resource 
FIG. 42A 



4210 4215 4220 




Resource 1 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


Resource 2 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


Resource 3 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


Resource 4 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


■ ■ ■ 


■ ■ ■ 


■ ■ ■ 



FIG. 42B 



EL839723704US 



SUN-P6991 



Resource Peer Group 




Resource 
Server 



Resource A 



4310 



Resource 




4320 




Resource 
Request + 
Rights Key(s) 




4315 



User Host 



4305 



FIG. 43A 4325 



Resource Peer Group 




Resource 
Server 



Resource A 



4335 



Resource 




4345 



1 XI 



Resource 
Request + 
Rights Key(s) 
+ Delivery 
Protection 
Mechanisi 




4340 



User Host 



E.g. Encrypted 
Connection To 
A Specific MP3 
Piayer 



4325 



4330 FIG. 43B 



Rights Key Credential 



4350 

4355 

4360 

4365 

4370 
4375 



Credential Cryptogram 



Credential Authority Peer 
Group ID 



Credential Parameters: 
Type="RightsKey" 



Credential Data = Key 
Data 



Sealed Credential 
Data=Nuil 



Nested Credentials=Null 



FIG. 43C 



EL839723704US 



SUN-P6991 



c 



Begin 



) 



1 




Send Resource Server A Resource Request 
Including A "Rights Key" Credential 




r 


Resource Server Matches Key With Identifier In 
Set Of Identifiers Associated With A Resource 


i 


4410 




Create New ID And Return To User 




1 


► 


Deliver Associ 


ated Resource 



4400 




4405 




4415 




4420 




c 



End 



3 



FIG. 44 



EL839723704US 



C 



Begin 



) 



1 




Send Resource Server A Resource Use Request 
Including A First "Rights Key" Credential And A 
Second "Rights Key" Credential 


y 




Resource Server Matches Both Keys With 
Identifiers In Set Of Identifiers Associated With A 
Resource 




4510 




Yes 



Create New ID And Deliver To its User 



Deliver Associated Resource 



C 



End 



FIG. 45 



EL839723704US 



SUN-P6991 



4600 



4620 




4625 



4630 






HTTP://VVWW.SomeResourceSeiverPeerGroup/KinclOfResourceDirectory/Any?RightsKeylD=ablargai433klj 

FIG. 46A 



4605 



HTTP Message 




Header: 

RightsKey="Rights Key Credential Data- 



Body 



FIG. 46B 



Smart Card 



4610 





4615 



Music Rights Management Applet 



Music Resource 


Rights 


Rights 


Rights 


Rights 


Server ID 


Key 


Key 


Key 


Key ; 



4620 




z 



E.g. 1 Per Music Title 



FIG. 46C 



EL839723704US 



SUN-P6991 




FIG. 46D 



EL839723704US 



SUN-P6991 



Dynamic Aggregation 

(From Service 
Provider's Perspective) 



4700 



4705 



4710 



4715 



4720 



c 



Begin 




) 









r 


Service Provider Receives Service Request And 
Associated User Data 




F 


Collect User Profile information 




r 


Present User Data And User Profile Information 
To Authority 


l 


r 


Service Provider Receives Approximated User 
Information From Authority 






Return Approximated User Information To User 




r 



c 



End 



) 



FIG. 47 



EL839723704US 



Static 
Aggregation 
(From Authority's 
Perspective) 




V 



Receive User Data 



Apply Aggregation Policy To Obtain 
Approximated User Information Based On The 
User Data 



Return Approximated User Data To The User 



J 



FIG. 48 



EL839723704US 



SUN-P6991 



4905 



Web Server 



4910 



Shared 
Secret 




I 




I 


J 


Cookie 






Cookie 
Processing Logic 





Reconfigured 
Cookie 



4900 




4915 




4930 



4935 




Computer / 
Terminal 



Cookie 
Request 




Card Reader 



._L_ 



Packet 
Sniffer 



Cookie 
Request 



4945 




4940 



4925 



Downloaded 
From Trusted 
Source 



Reconfigured 
Cookie 




Shared 
Secret 




i 


Li 


I 




Cookie 


Cookie Processing 
Logic 






4955 



4960 



FIG. 49 



EL839723704US 



SUN-P6991 



5000 



5005 



5065 




5010 



Secret 




I 


I 


i 




Cookie 






Cookie 
j Processing Logic 





Reconfigured 
Cookie 



5015 




Other Embodiments: 

1. Attach Timestamp To Cookie & 
Don't Process If Stale 

2. Cookie Management Credential 

3. Non-Managed/Non-Processed 
Cookies Oust Cookies On A Card) 



5030 



5035 




Computer / 
Terminal 



Cookie 
Request 




Card Reader 



Packet 
Sniffer 



Cookie 
Request 




5045 
5040 5050 




5025 



Downloaded From 
Trusted Source 
During Enrollment 
Process 



Reconfigured 
Cookie 



Smart Card 



Applet 



Cookie 
Update 
Logic 



16 



22 



Cookie 



Cookie Processing 
Logic 

S 



IS 



5055 



5060 



FIG. 50 



EL839723704US 



SUN-P6991 



Card 



Browser 



Server 



c 



Begin 



Card Placed In Card Reader 



Browser Access Web Site 




5105 «- 




Request Cookie From Card 



5110 



Reconfigure Cookie Bit Pattern 

— * 



Return Cookie 



5125 



Return "Null" 



5130 



c 



Cookie 



5145 



C 



Begin 



Get Cookie Off Card 




| Send Cookie To Server 



End 




FIG. 51 



